U.S. patent application number 10/443698 was filed with the patent office on 2004-11-25 for method and apparatus for a proximity warning system.
This patent application is currently assigned to International Business Machines Corporation. Invention is credited to Girouard, Janice Marie, Hamzy, Mark Joseph, Ratliff, Emily Jane.
Application Number: 20040236952 (10/443698)
Family ID: 33450486
Filed Date: 2004-11-25
United States Patent Application 20040236952, Kind Code A1
Girouard, Janice Marie; et al.
November 25, 2004
Method and apparatus for a proximity warning system
Abstract
The present invention provides a method, apparatus, and computer
instructions for warning of a presence of a person in a zone having
an inadequate security clearance. Movement of the person in the
zone is detected. A message is broadcast to selected data
processing systems associated with the zone, wherein the data
processing systems initiate actions to protect data in the selected
data processing systems.
Inventors: Girouard, Janice Marie (Austin, TX); Hamzy, Mark Joseph (Round Rock, TX); Ratliff, Emily Jane (Austin, TX)
Correspondence Address: IBM CORP (YA), C/O YEE & ASSOCIATES PC, P.O. BOX 802333, DALLAS, TX 75380, US
Assignee: International Business Machines Corporation, Armonk, NY
Family ID: 33450486
Appl. No.: 10/443698
Filed: May 22, 2003
Current U.S. Class: 713/182
Current CPC Class: G06F 21/554 20130101; G06F 21/6218 20130101; G07C 9/28 20200101
Class at Publication: 713/182
International Class: H04K 001/00
Claims
What is claimed is:
1. A method in a data processing system for warning of a presence
of a person in a zone having an inadequate security clearance, the
method comprising: detecting movement of the person in the zone;
and broadcasting a message to selected data processing systems
associated with the zone, wherein the data processing systems
initiate actions to protect data in the selected data processing
systems.
2. The method of claim 1, wherein the selected data processing
systems protect data by performing at least one of displaying a
screen saver, displaying a login screen, fading a screen to black,
minimizing all windows on a screen, saving and closing selected
documents on the screen, and displaying a warning message on the
screen.
3. The method of claim 1, wherein the person is one of a guest or
an employee.
4. The method of claim 1, wherein the zone is selected from one of
a room, a building, or a portion of a room.
5. The method of claim 1, wherein the person is detected by a badge
on the person.
6. The method of claim 1, wherein the movement of the person is
detected by a security tag on the person.
7. The method of claim 1, wherein the selected data processing
systems parse a document containing security tags to identify
actions used to warn of the presence.
8. A method in a data processing system for warning of a presence
of a person in a zone having an inadequate security clearance, the
method comprising: detecting movement of the person in the zone
from a signal generated by a device carried by the person;
identifying a security level using the signal; determining whether
the person has adequate security clearance based on the security
level; and responsive to the person having inadequate security
clearance, broadcasting a message to selected data processing
systems associated with the zone, wherein the message causes the
selected data processing systems to initiate security actions.
9. The method of claim 8, wherein the signal includes an
identification of the person and wherein the identification of the
person is used to identify the security level.
10. The method of claim 8, wherein the signal includes an
identification of the security level.
11. The method of claim 8, wherein the selected data processing
systems initiate the security action by performing at least one of
displaying a screen saver, displaying a login screen, fading a
screen to black, minimizing all windows on the screen, saving and
closing selected documents on the screen, and displaying a warning
message on the screen.
12. The method of claim 8, wherein the selected data processing
systems parse a document containing security tags to identify
security actions.
13. The method of claim 8, wherein the selected data processing
systems execute a set of applications having different security
levels and wherein security actions are initiated only for
applications requiring a level of security greater than the
security level.
14. A data processing system comprising: a bus system; a memory
connected to the bus system, wherein the memory includes a set of
instructions; a sensor connected to the bus system, wherein the
sensor detects signals from security tags in a zone; and a
processing unit connected to the bus system, wherein the processing
unit executes the instructions to detect movement of the person in
the zone; and broadcast a message to selected data processing
systems associated with the zone, wherein the data processing
systems initiate actions to protect data in the selected data
processing systems.
15. A data processing system for warning of a presence of a person
in a zone having an inadequate security clearance, the data
processing system comprising: detecting means for detecting
movement of the person in the zone; and broadcasting means for
broadcasting a message to selected data processing systems
associated with the zone, wherein the data processing systems
initiate actions to protect data in the selected data processing
systems.
16. The data processing system of claim 15, wherein the selected
data processing systems protect data by performing at least one of
displaying a screen saver, displaying a login screen, fading a
screen to black, minimizing all windows on a screen, saving and
closing selected documents on the screen, and displaying a warning
message on the screen.
17. The data processing system of claim 15, wherein the person is
one of a guest or an employee.
18. The data processing system of claim 15, wherein the zone is
selected from one of a room, a building, or a portion of a
room.
19. The data processing system of claim 15, wherein the person is
detected by a badge on the person.
20. The data processing system of claim 15, wherein the movement of
the person is detected by a security tag on the person.
21. The data processing system of claim 15, wherein the selected
data processing systems parse a document containing security tags
to identify actions used to warn of the presence.
22. A data processing system for warning of a presence of a person
in a zone having an inadequate security clearance, the data
processing system comprising: detecting movement of the person in
the zone from a signal generated by a device carried by the person;
identifying a security level using the signal; determining whether
the person has adequate security clearance based on the security
level; and responsive to the person having inadequate security
clearance, broadcasting a message to selected data processing
systems associated with the zone, wherein the message causes the
selected data processing systems to initiate security actions.
23. The data processing system of claim 22, wherein the signal
includes an identification of the person and wherein the
identification of the person is used to identify the security
level.
24. The data processing system of claim 22, wherein the signal
includes an identification of the security level.
25. The data processing system of claim 22, wherein the data
processing systems initiate the security action by performing at
least one of displaying a screen saver, displaying a login screen,
fading a screen to black, minimizing all windows on the screen,
saving and closing selected documents on the screen, and displaying
a warning message on the screen.
26. The data processing system of claim 22, wherein the selected
data processing systems parse a document containing security tags
to identify security actions.
27. The data processing system of claim 22, wherein the selected
data processing systems execute a set of applications having
different security levels and wherein security actions are
initiated only for applications requiring a level of security
greater than the security level.
28. A computer program product in a computer readable medium for
warning of a presence of a person in a zone having an inadequate
security clearance, the computer program product comprising: first
instructions for detecting movement of the person in the zone; and
second instructions for broadcasting a message to selected data
processing systems associated with the zone, wherein the data
processing systems initiate actions to protect data in the selected
data processing systems.
29. A data processing system for warning of a presence of a person
in a zone having an inadequate security clearance, the data
processing system comprising: first instructions for detecting
movement of the person in the zone from a signal generated by
a device carried by the person; second instructions for identifying a
security level using the signal; third instructions for determining
whether the person has adequate security clearance based on the
security level; and fourth instructions, responsive to the person
having inadequate security clearance, for broadcasting a message to
selected data processing systems associated with the zone, wherein
the message causes the selected data processing systems to initiate
security actions.
Description
BACKGROUND OF THE INVENTION
[0001] 1. Technical Field
[0002] The present invention relates to an improved data processing
system and in particular, a method, apparatus, and computer
instructions for processing data. Still more particularly, the
present invention provides an improved method, apparatus, and
computer instructions for generating notifications in a proximity
warning system.
[0003] 2. Description of Related Art
[0004] Many types of proximity warning systems are used in many
environments. For example, in highly secure research environments,
such as a government laboratory, a warning system is used to alert
others when a guest is escorted into a laboratory. Typically,
warning lights are activated with an optional sound component.
Personnel within the laboratory are expected to protect
confidential material until the guest has left the laboratory. One
drawback to this type of warning system is that the warning system
must be manually activated and deactivated. Further, personnel in
the laboratory are expected to take action to protect confidential
materials, such as those displayed on computer displays.
[0005] In some cases, the alert is generated in response to a guest
swiping a badge to enter a laboratory. In this type of environment,
electronic access control is enforced through access decisions
responsive to the user swiping a badge in a card reader when
entering the laboratory. This kind of system, however, requires all
guests to swipe their badges. Generally, guests are unable to enter
an area without an escort. Only the escort's badge allows access.
As a result, the escort must ensure that the guest also swipes the
guest badge to ensure that the alert is generated, such as flashing
lights within the secured area.
[0006] Both systems require action on the part of the escort, as
well as action on the part of those personnel in the secure area.
Therefore, it would be advantageous to have an improved method,
apparatus, and computer instructions for generating alerts when a
guest or other person having inadequate security clearance enters a
secure area.
SUMMARY OF THE INVENTION
[0007] The present invention provides a method, apparatus, and
computer instructions for warning of a presence of a person in a
zone having an inadequate security clearance. Movement of the
person in the zone is detected. A message is broadcast to selected
data processing systems associated with the zone, wherein the data
processing systems initiate actions to protect data in the selected
data processing systems.
BRIEF DESCRIPTION OF THE DRAWINGS
[0008] The novel features believed characteristic of the invention
are set forth in the appended claims. The invention itself,
however, as well as a preferred mode of use, further objectives and
advantages thereof, will best be understood by reference to the
following detailed description of an illustrative embodiment when
read in conjunction with the accompanying drawings, wherein:
[0009] FIG. 1 is a pictorial representation of a network of data
processing systems in which the present invention may be
implemented;
[0010] FIG. 2 is a block diagram of a data processing system that
may be implemented as a server in accordance with a preferred
embodiment of the present invention;
[0011] FIG. 3 is a block diagram illustrating a data processing
system in which the present invention may be implemented;
[0012] FIG. 4 is a diagram illustrating components used in a
proximity warning system in accordance with a preferred embodiment
of the present invention;
[0013] FIG. 5 is a diagram illustrating components used in
detecting proximity of a person in a security zone in accordance
with a preferred embodiment of the present invention;
[0014] FIG. 6 is a flowchart of a process for monitoring for
movement of a person into a zone in accordance with a preferred
embodiment of the present invention;
[0015] FIG. 7 is a flowchart of a process for monitoring for
movement of a person into a zone in accordance with a preferred
embodiment of the present invention;
[0016] FIG. 8 is a flowchart of a process for processing a warning
message in accordance with a preferred embodiment of the present
invention;
[0017] FIG. 9 is a flowchart of a process for processing a warning
message in accordance with a preferred embodiment of the present
invention;
[0018] FIG. 10 is a flowchart of a process for processing a message
indicating a presence of a person in a zone in accordance with a
preferred embodiment of the present invention;
[0019] FIG. 11 is a flowchart of a process for identifying security
actions for a document in accordance with a preferred embodiment of
the present invention;
[0020] FIG. 12 is a flowchart of a process for identifying security
levels for objects and sub-objects in accordance with a preferred
embodiment of the present invention;
[0021] FIG. 13 is a flowchart of a process for identifying security
actions based on a document in accordance with a preferred
embodiment of the present invention; and
[0022] FIG. 14 is a diagram illustrating a document containing
security tags in accordance with a preferred embodiment of the
present invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
[0023] With reference now to the figures, FIG. 1 depicts a
pictorial representation of a network of data processing systems in
which the present invention may be implemented. Network data
processing system 100 is a network of computers in which the
present invention may be implemented. Network data processing
system 100 contains a network 102, which is the medium used to
provide communications links between various devices and computers
connected together within network data processing system 100.
Network 102 may include connections, such as wire, wireless
communication links, or fiber optic cables.
[0024] In the depicted example, server 104 is connected to network
102 along with storage unit 106. In addition, clients 108, 110, and
112 are connected to network 102. These clients 108, 110, and 112
may be, for example, personal computers or network computers. In
the depicted example, server 104 provides data, such as boot files,
operating system images, and applications to clients 108-112.
Clients 108, 110, and 112 are clients to server 104. Network data
processing system 100 may include additional servers, clients, and
other devices not shown.
[0025] Sensor 114 also is present in network data processing system
100. Sensor 114 may take many forms depending on the implementation.
In these examples, sensor 114 is used in conjunction with processes
to generate alerts for a zone or area when a person with inadequate
security clearance enters that zone. The sensor detects the entry or
movement of the person into the zone by a tag on the person. For
example, the tag may be integrated into a guest or employee badge
worn by the person.
[0026] In the depicted example, network data processing system 100
is a local area network. Clients 108, 110, and 112 may be located
in the zone, along with sensor 114, which monitors for tags worn by
personnel or guests. Server 104 includes the processes used to
receive alerts from sensor 114 and broadcasts appropriate messages
to the clients through wired or wireless communications links in
network 102. Server 104 may be connected directly to sensor 114 or
may be in a remote location in communication with sensor 114.
Network data processing system 100 also may be implemented as a
number of different types of networks, such as for example, an
intranet or a wide area network (WAN). FIG. 1 is intended as an
example, and not as an architectural limitation for the present
invention.
[0027] Referring to FIG. 2, a block diagram of a data processing
system that may be implemented as a server, such as server 104 in
FIG. 1, is depicted in accordance with a preferred embodiment of
the present invention. Data processing system 200 may be a
symmetric multiprocessor (SMP) system including a plurality of
processors 202 and 204 connected to system bus 206. Alternatively,
a single processor system may be employed. Also connected to system
bus 206 is memory controller/cache 208, which provides an interface
to local memory 209. I/O bus bridge 210 is connected to system bus
206 and provides an interface to I/O bus 212. Memory
controller/cache 208 and I/O bus bridge 210 may be integrated as
depicted.
[0028] Peripheral component interconnect (PCI) bus bridge 214
connected to I/O bus 212 provides an interface to PCI local bus
216. A number of modems may be connected to PCI local bus 216.
Typical PCI bus implementations will support four PCI expansion
slots or add-in connectors. Communications links to clients 108-112
in FIG. 1 may be provided through modem 218 and network adapter 220
connected to PCI local bus 216 through add-in boards.
[0029] Additional PCI bus bridges 222 and 224 provide interfaces
for additional PCI local buses 226 and 228, from which additional
modems or network adapters may be supported. In this manner, data
processing system 200 allows connections to multiple network
computers. A memory-mapped graphics adapter 230 and hard disk 232
may also be connected to I/O bus 212 as depicted, either directly
or indirectly.
[0030] Those of ordinary skill in the art will appreciate that the
hardware depicted in FIG. 2 may vary. For example, other peripheral
devices, such as optical disk drives and the like, also may be used
in addition to or in place of the hardware depicted. The depicted
example is not meant to imply architectural limitations with
respect to the present invention.
[0031] The data processing system depicted in FIG. 2 may be, for
example, an IBM eServer pSeries system, a product of International
Business Machines Corporation in Armonk, N.Y., running the Advanced
Interactive Executive (AIX) operating system or LINUX operating
system.
[0032] With reference now to FIG. 3, a block diagram illustrating a
data processing system is depicted in which the present invention
may be implemented. Data processing system 300 is an example of a
client computer. Data processing system 300 employs a peripheral
component interconnect (PCI) local bus architecture. Although the
depicted example employs a PCI bus, other bus architectures such as
Accelerated Graphics Port (AGP) and Industry Standard Architecture
(ISA) may be used. Processor 302 and main memory 304 are connected
to PCI local bus 306 through PCI bridge 308. PCI bridge 308 also
may include an integrated memory controller and cache memory for
processor 302. In the depicted example, local area network (LAN)
adapter 310, SCSI host bus adapter 312, and expansion bus interface
314 are connected to PCI local bus 306 by direct component
connection. In contrast, audio adapter 316, graphics adapter 318,
and audio/video adapter 319 are connected to PCI local bus 306 by
add-in boards inserted into expansion slots. Expansion bus
interface 314 provides a connection for a keyboard and mouse
adapter 320, modem 322, and additional memory 324. Small computer
system interface (SCSI) host bus adapter 312 provides a connection
for hard disk drive 326, tape drive 328, and CD-ROM drive 330.
[0033] An operating system runs on processor 302 and is used to
coordinate and provide control of various components within data
processing system 300 in FIG. 3. The operating system may be a
commercially available operating system, such as Windows XP, which
is available from Microsoft Corporation. Instructions for the
operating system and applications or programs are located on
storage devices, such as hard disk drive 326, and may be loaded
into main memory 304 for execution by processor 302.
[0034] Those of ordinary skill in the art will appreciate that the
hardware in FIG. 3 may vary depending on the implementation. Other
internal hardware or peripheral devices, such as flash read-only
memory (ROM), equivalent nonvolatile memory, or optical disk drives
and the like, may be used in addition to or in place of the
hardware depicted in FIG. 3. Also, the processes of the present
invention may be applied to a multiprocessor data processing
system.
[0035] The depicted example in FIG. 3 and above-described examples
are not meant to imply architectural limitations. For example, data
processing system 300 also may be a notebook computer or hand held
computer in addition to taking the form of a PDA. Data processing
system 300 also may be a kiosk or a Web appliance.
[0036] The present invention provides an improved method,
apparatus, and computer instructions for automatically detecting
guests or personnel with inadequate security clearance in a zone or
area and warning users and taking other security actions when such
persons are entering the secured area or zone. The mechanism of the
present invention broadcasts messages to data processing systems
within the zone when a sensor detects a guest or personnel with
inadequate security clearance entering the zone. The different data
processing systems within the zone perform security actions
depending on the sensitivity or confidentiality level of
information presently being displayed or made available at the data
processing systems.
[0037] Turning now to FIG. 4, a diagram illustrating components
used in providing a warning system is depicted in accordance with a
preferred embodiment of the present invention. In these examples,
zone 400 is a room with door 402 providing an entrance into zone
400. Work stations 404, 406, 408, 410, 412, and 414 are present in
zone 400. Person 416 carries tag 418.
[0038] When person 416 enters zone 400, sensor 420 detects person
416 based on tag 418 carried by person 416. The particular type of
sensor tag used may take various forms. For example, a tag
containing electromagnetic, acousto-magnetic, or radio frequency
identification (RFID) technology may be incorporated into a badge
carried by the guest or other personnel. With an RFID system, a
circuit and an antenna are employed, in which sensor 420 may
generate a signal. This signal causes the electric circuit in tag
418 to generate a response when the signal is received by sensor
420. This response may be merely a signal at a preselected
frequency or may actually transmit data. The data may be, for
example, a security level or an identification number used to
identify the person. Further, paper badges may be enhanced with an
appropriate circuit, such as an RFID circuit, for use as a tag, such
as tag 418.
[0039] This information received by sensor 420 is transmitted by
sensor 420 to a mechanism, such as server 104 in FIG. 1, which then
broadcasts a message to work stations 404, 406, 408, 410, 412, and
414 in zone 400. In addition, the sensors also may include motion
detectors to detect movement in the areas being monitored. The
motion sensors may be separate from these sensors. A detection of
movement in a zone and an absence of an appropriate signal from a
tag may indicate that a person is in the zone without a badge. This
situation also causes security actions to be taken.
[0040] These data processing systems may then perform different
security actions, depending on the particular implementation. The
security actions are taken to protect data on the data processing
systems in these examples. In one case, all of the data processing
systems may take the same security action. For example, the display
may be obscured, such as displaying a screen saver, displaying a
log-in screen, fading to black, or minimizing all windows on the
screen.
[0041] Additionally, another security action may involve obscuring
elements on displays on the data processing systems, such as
windows. For example, a screen saver may be displayed in a given
window, which contains confidential or security restricted
information, while other windows may remain displayed because no
confidential or secret information is present in those windows. The
window containing confidential or secret information also may be
minimized, the window may fade to black or may be obscured, or a
save and close command may be issued to that window.
[0042] In this type of security action, selecting the windows on
which to perform security actions may be based on the access control
levels of the information displayed in the windows. For example, if
a time clock program is being executed, in most cases the access
control level will not exceed a defined security level. As a
result, the window opened by the time clock program will not be
affected by security actions.
[0043] Further, the security actions may be extended to include
sub-objects. For example, a text editor or word processing program
may be an object, while a file is a sub-object. A security level
may be associated with the text editor program and a second
security level may be associated with the file, the sub-object,
being edited. The security level of the window is the greater of
the two elements, the text editor program and the file. If the file
contains confidential secret information, the security level of the
display element is that of the file being edited.
[0044] Actions taken for different applications and for documents
may be implemented using tags within documents. For example, a
document in extensible mark-up language (XML) may contain security
elements and identify a security level of a given component by the
maximum security level of an element within a structure describing
the component. A tag pair, for example, "<xsl:security
level="8">" and "</xsl:security>", has various XML
statements located between these two tags. Additionally, security
tags may be stored as an extended attribute of the object or
sub-object, depending on the implementation.
[0045] This XML document may be executed or processed to identify
security levels for components in a windowed system. In these
examples, the document is executed by the client data processing
system on which the security action is to be taken in response to
receiving a message indicating the presence of a guest or person
entering the zone. Alternatively, the extended attributes in a file
system may be used to store security data, rather than employing an
XML document.
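One way to implement the security-tag document of [0044] and [0045] together with the object/sub-object rule of [0043], as an added example that is not code from the patent: the XML below is constructed for illustration, the `xsl` prefix is bound to a placeholder namespace URI because the page gives none, and the window ids, file names, the level ceiling and the action list are assumptions. `window_levels` computes each window's effective level as the maximum level of any security element inside it, and `select_actions` picks the windows whose level exceeds the entering person's clearance, following the rule of claim 13.

```python
import xml.etree.ElementTree as ET

# Placeholder namespace for the "xsl:security" prefix used on the page; the
# patent gives no URI, so this binding is constructed for the example.
SEC_NS = "urn:example:proximity-security"
SEC_TAG = f"{{{SEC_NS}}}security"

# Assumed top of the level scale; a malformed level attribute is mapped here
# so that a broken document fails closed rather than unprotected.
LEVEL_CEILING = 10

# Constructed sample document: one window holds a text editor (the object,
# level 3) editing a confidential file (the sub-object, level 8); a time
# clock window carries level 1; a third window has no security tags at all.
SAMPLE_XML = f"""<?xml version="1.0"?>
<desktop xmlns:xsl="{SEC_NS}">
  <window id="editor">
    <xsl:security level="3">
      <application name="text-editor"/>
      <xsl:security level="8">
        <file name="forecast.txt"/>
      </xsl:security>
    </xsl:security>
  </window>
  <window id="timeclock">
    <xsl:security level="1">
      <application name="time-clock"/>
    </xsl:security>
  </window>
  <window id="scratch">
    <application name="calculator"/>
  </window>
</desktop>
"""

# Per-window security actions named in the patent.
WINDOW_ACTIONS = ("screen saver", "minimize", "fade to black", "save and close")


def max_security_level(element: ET.Element) -> int:
    """Effective level of a component: the maximum level attribute of any
    security element within its structure, so a level-8 file raises a
    level-3 editor window to 8. A component with no tags is level 0."""
    levels = []
    for sec in element.iter(SEC_TAG):
        try:
            levels.append(int(sec.get("level", "0")))
        except ValueError:
            levels.append(LEVEL_CEILING)  # unparsable level: most restrictive
    return max(levels, default=0)


def window_levels(xml_text: str) -> dict:
    """Map each window id to its effective security level."""
    root = ET.fromstring(xml_text)
    return {w.get("id"): max_security_level(w) for w in root.iter("window")}


def select_actions(xml_text: str, person_level: int, action: str = "screen saver") -> dict:
    """Windows needing a security action for a person of the given level:
    only those requiring a level greater than that person's clearance."""
    if action not in WINDOW_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return {wid: action
            for wid, lvl in window_levels(xml_text).items()
            if lvl > person_level}


if __name__ == "__main__":
    print(window_levels(SAMPLE_XML))
    print(select_actions(SAMPLE_XML, person_level=2))
```

Untagged windows come out at level 0, so they are never touched; that matches the time clock case in [0042], where a low-level program keeps its window while the editor holding a confidential file is obscured.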
[0046] In another example, zone 400 may be divided into two or more
zones in which security actions are taken only when person 416
enters the other zone. For example, sensor 424 monitors zone 422,
while sensor 430 monitors zone 428. No messages are broadcast until
person 416 enters zone 422. At that time, messages are broadcast
only to workstations 404, 406, and 408. When person 416 moves into
zone 428, messages are broadcast only to work stations 410, 412,
and 414. The work stations in zone 422 may return to normal
operation when person 416 leaves zone 422 and enters zone 428 from
zone 422. In this manner, zones may be set up for large areas
without requiring security actions being taken on every data
processing system when a person enters a large room.
[0047] Turning next to FIG. 5, a diagram illustrating components
used in detecting proximity of a person in a security zone is
depicted in accordance with a preferred embodiment of the present
invention. These components include sensor 500 and warning process
502. Sensor 500 detects a presence of tag 504. In response, warning
process 502 may send messages to client process 506 and client
process 508 to initiate one or more security actions as described
above.
[0048] Other processing may occur in warning process 502,
depending on the information received by warning process 502 from
tag 504. If a security level is sent by tag 504, this information may
be included in the message broadcast to client process 506 and
client process 508. If the information received is an
identification of the person, warning process 502 may use this
identification to determine the security clearance that the person
has by querying a database to obtain security clearance information
on the person.
[0049] Warning process 502 may be implemented in server 104 in FIG.
1. Alternatively, this process may be implemented in a data
processing system located in the zone, depending on the particular
implementation. Tag 504 is incorporated into a badge worn by the
person in these examples.
[0050] Client process 506 and client process 508 are processes that
are initiated or respond to a message broadcast to them by warning
process 502. This message may include merely an indication that an
alert is present or may include other information in the message,
such as a security level of the person. Also, if motion is detected
using a motion sensor in the zone, but no signal from a tag is
received, a message may be broadcast to indicate that a person is
present in the zone who does not have a badge. Appropriate security
actions to protect the data are then initiated.
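The warning process of FIG. 5 written out as an added example (not code from the patent): a sensor event carries either a security level, an identification that is looked up in a clearance database ([0048]), or a motion-only detection with no tag data (the badge-less case of [0039] and [0050]), and the resulting message is routed only to the work stations of the zone in which the person was detected ([0046]). The zone and work station names, the badge identifiers, the clearance table, the threshold comparison (taken from the FIG. 7 description) and the fail-closed handling of a badge the database does not know are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SensorEvent:
    """One detection as reported by a zone sensor. A tag may send a
    security level directly or only an identification; motion with no
    tag data at all is the badge-less case."""
    zone: str
    tag_id: Optional[str] = None
    level: Optional[int] = None
    motion: bool = False

    @property
    def has_tag(self) -> bool:
        return self.tag_id is not None or self.level is not None


# Constructed clearance database keyed by badge identification (hypothetical values).
CLEARANCE_DB = {"E-1001": 9, "G-0042": 1}

# Constructed zone layout following FIG. 4: sensor 424 covers zone 422 with
# work stations 404-408, sensor 430 covers zone 428 with work stations 410-414.
ZONE_WORKSTATIONS = {
    "zone-422": ("ws-404", "ws-406", "ws-408"),
    "zone-428": ("ws-410", "ws-412", "ws-414"),
}


def clearance_for(event: SensorEvent) -> Optional[int]:
    """Security level carried in the signal, or looked up from the person's
    identification; None when the badge is unknown to the database."""
    if event.level is not None:
        return event.level
    if event.tag_id is not None:
        return CLEARANCE_DB.get(event.tag_id)
    return None


def build_message(event: SensorEvent, threshold: int) -> Optional[dict]:
    """Decide whether the warning process broadcasts for this event and to
    whom. Returns the message, or None when no broadcast is needed."""
    recipients = ZONE_WORKSTATIONS.get(event.zone)
    if recipients is None:
        return None  # not a monitored zone; nothing to protect there
    if not event.has_tag:
        if event.motion:
            # Movement but no tag signal: someone is in the zone without a badge.
            return {"zone": event.zone, "to": recipients,
                    "alert": "no-badge", "level": None}
        return None
    level = clearance_for(event)
    # FIG. 7 rule: a level greater than the threshold needs no broadcast.
    # An unknown badge (level None) fails closed and is treated as inadequate.
    if level is not None and level > threshold:
        return None
    return {"zone": event.zone, "to": recipients,
            "alert": "inadequate-clearance", "level": level}


def process_events(events, threshold: int) -> list:
    """Run a batch of sensor events through the warning process."""
    return [m for m in (build_message(ev, threshold) for ev in events) if m is not None]


if __name__ == "__main__":
    # Constructed detections: a guest badge, an employee badge, motion only.
    demo = [
        SensorEvent("zone-422", tag_id="G-0042"),
        SensorEvent("zone-428", tag_id="E-1001"),
        SensorEvent("zone-428", motion=True),
    ]
    for m in process_events(demo, threshold=5):
        print(m)
```

Failing closed on an unknown identification is the choice a defender wants here: a badge the database has never seen should trigger the same protection as a guest badge, not silently pass as cleared.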
[0051] Turning now to FIG. 6, a flowchart of a process for
monitoring for movement of a person into a zone is depicted in
accordance with a preferred embodiment of the present invention.
The process illustrated in FIG. 6 may be implemented in a warning
process, such as warning process 502 in FIG. 5.
[0052] The process begins by monitoring for a signal (step 600). In
step 600, the process waits to receive a signal from a sensor, such
as sensor 500 in FIG. 5. A determination is made as to whether a
signal from a tag has been detected by the sensor (step 602). If a
signal is not detected, the process returns to step 600. Otherwise,
a message is broadcast to data processing systems associated with
the zone being monitored (step 604), with the process then
returning to step 600.
[0053] In this example, only the presence of a signal is monitored.
No other data is used to generate an alert. The message is
periodically broadcast as long as the signal is detected in the
zone by the sensor. Data processing systems associated with the
zones will continue to take security actions and will periodically
determine whether messages continue to be received. When messages
no longer continue to be received after a selected period of time,
the security actions may cease.
[0054] In some cases, additional processing may occur with respect
to detecting the signals. In this type of example, a security level
for the person carrying the tag may be included in the signal
generated by the tag. Turning now to FIG. 7, a flowchart of a
process for monitoring for movement of a person into a zone is
depicted in accordance with a preferred embodiment of the present
invention. The process illustrated in FIG. 7 may be implemented in
a warning process, such as warning process 502 in FIG. 5.
[0055] The process begins by monitoring for a signal (step 700). In
step 700, the process waits to receive a signal detected by a
sensor, such as sensor 500 in FIG. 5. A determination is made as to
whether a signal has been detected by the sensor (step 702).
[0056] If a signal is not detected, the process returns to step
700. Otherwise, the security level transmitted with the signal is
identified (step 704). A determination is then made as to whether
the security level is more than a selected threshold level (step
706). If the security level of the person in the zone is greater
than the selected threshold level, no message needs to be broadcast
to the data processing systems in the zone. Alternatively, this
step of comparing thresholds may be implemented at the data
processing systems in the zone.
[0057] If the security level is more than the threshold, a message
is broadcast (step 708) with the process returning to step 700 as
described above. Turning back to step 702, if a signal is not
detected the process also returns to step 700.
[0058] With reference now to FIG. 8, a flowchart of a process for
processing a warning message is depicted in accordance with a
preferred embodiment of the present invention. The process
illustrated in FIG. 8 may be implemented in data processing system
in a zone, such as workstation 404 in FIG. 4.
[0059] The process begins by receiving a message (step 800). The
message is received from a warning process, such as warning process
502 in FIG. 5. A warning message is displayed in the display of the
data processing system (step 802), with the process terminating
thereafter. This process is a simple illustration of a security
action that is taken.
[0060] With reference now to FIG. 9, a flowchart of a process for
processing a warning message is depicted in accordance with a
preferred embodiment of the present invention. The process
illustrated in FIG. 9 may be implemented in data processing system
in a zone, such as workstation 404 in FIG. 4.
[0061] The process begins by receiving a message (step 900). The
message is received from a warning process, such as warning process
502 in FIG. 5. In response to receiving the message, a security
action is performed (step 902). Many types of security actions may
be performed from displaying a screen saver on the entire display
to minimizing only windows having secret or confidential
information. The process then waits for a period of time (step
904). Thereafter, a determination is made as to whether another
message has been received (step 906). If another message has been
received the process returns to step 904 as described above.
[0062] Otherwise, the security action is ended (step 908) with the
process terminating thereafter. By monitoring for additional
messages, the cessation of receiving messages is used to indicate
that security actions no longer need to be taken. Alternatively,
the present invention may monitor for an absence of messages if
motion is detected in the area being monitored. Such a situation
would indicate that a person is present without an appropriate
badge.
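The sensor-side logic of FIG. 7 and the receiver-side timeout of FIG. 9, as an added simulation that is not part of the patent text: the warning process follows the [0056] reading (a message is broadcast only when the tag's level does not exceed the threshold, or when motion is seen with no tag at all), and the workstation keeps its security action alive only while messages keep arriving. The class names, the per-tick reading format and the `grace_ticks` parameter are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class WarningProcess:
    """Sensor-side process (FIG. 7); names and structure are assumptions."""
    threshold: int

    def handle_reading(self, motion: bool, tag_level: Optional[int]) -> Optional[dict]:
        # Motion with no tag signal: an unbadged person, reported as level 0.
        if motion and tag_level is None:
            return {"type": "presence", "level": 0}
        # No signal at all (step 702): nothing to broadcast.
        if tag_level is None:
            return None
        # Level above the threshold (step 706): no message needed.
        if tag_level > self.threshold:
            return None
        # Otherwise broadcast the message carrying the level (step 708).
        return {"type": "presence", "level": tag_level}

@dataclass
class Workstation:
    """Receiver side (FIG. 9): protect while messages arrive, release on silence."""
    grace_ticks: int            # how many silent ticks end the action (step 904/906)
    protected: bool = False
    silent_ticks: int = 0
    log: List[str] = field(default_factory=list)

    def receive(self, msg: Optional[dict], now: int) -> None:
        if msg is not None:
            self.silent_ticks = 0
            if not self.protected:              # step 902: start the security action
                self.protected = True
                self.log.append(f"t={now}: security action started (level {msg['level']})")
            return
        self.silent_ticks += 1
        if self.protected and self.silent_ticks >= self.grace_ticks:
            self.protected = False              # step 908: end the security action
            self.log.append(f"t={now}: security action ended")

def simulate(readings: List[Tuple[bool, Optional[int]]], threshold: int = 5,
             grace_ticks: int = 2) -> List[str]:
    """Feed constructed per-tick (motion, tag_level) readings through both processes."""
    warn, ws = WarningProcess(threshold), Workstation(grace_ticks)
    for t, (motion, level) in enumerate(readings):
        ws.receive(warn.handle_reading(motion, level), t)
    return ws.log

# Constructed readings: badge of level 3 enters and leaves, then an unbadged
# person triggers motion, then a level-9 badge that needs no message.
SAMPLE = [(False, None), (True, 3), (True, 3), (False, None), (False, None),
          (True, None), (True, 9)]
```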
[0063] In FIG. 10, a flowchart of a process for processing a
message indicating a presence of a person in a zone is depicted in
accordance with a preferred embodiment of the present invention.
The process illustrated in FIG. 10 may be implemented in data
processing system in a zone, such as workstation 404 in FIG. 4.
[0064] The process begins by receiving a message (step 1000). The
message is received from a security process, such as security
process 502 in FIG. 5. A security level is identified from the
message (step 902). Thereafter, applications requiring a higher
security level than that in the message are identified (step 1004).
Security actions are performed for the identified applications
(step 1006).
[0065] Next, FIG. 11 is a flowchart of a process for identifying
security actions for a document in accordance with a preferred
embodiment of the present invention. The process illustrated in
FIG. 11 may be implemented in data processing system in a zone,
such as workstation 404 in FIG. 4.
[0066] The process begins by receiving a message from a security
process (step 1100). In these examples, the tags in the documents
are pre-parsed when the document is first loaded onto a data
processing system. With the pre-parsed tags, a determination is
made as to whether security tags are present in the document (step
1102). If security tags are found in the document, a security level
is identified for the document using the identified security tags
(step 1104). A security level is identified from the message (step
1106).
[0067] Next, a determination is made as to whether the security
level of the document is greater than the security level of the
message (step 1108). If the security level of the document is
greater than the security level of the message, a security action
is performed for the document (step 1110), with the process
terminating thereafter.
[0068] With reference again to step 1108, if the security level of
the document is not greater than the security level of the message,
the process terminates. The process also terminates in step 1102 if
security tags are not found in the document. Although the tags are
pre-parsed in this example, the tags could be parsed when the alert
is received depending on the particular implementation.
[0069] This process may be used to identify security levels for
different objects, including objects and sub-objects. The process
may be used to identify security levels for objects upon object
execution and loading of sub-objects associated with object
execution. In this manner, security levels for windows being
displayed may be identified as a maximum of the identified security
levels for the object.
[0070] Turning now to FIG. 12, a flowchart of a process for
identifying security levels for objects and sub-objects is depicted
in accordance with a preferred embodiment of the present invention.
The process illustrated in FIG. 12 may be implemented in data
processing system in a zone, such as workstation 404 in FIG. 4.
[0071] The process is initiated upon object execution and
sub-object load in this example. The process begins by identifying
a security level for the object (step 1200). Thereafter, the
security level of any sub-objects is identified (step 1202).
Thereafter, the identified security level for the window is a
maximum of the identified security levels (step 1204) with the
process terminating thereafter. The security actions may be
performed on a window level or the security level for all the
windows may be aggregated to identify the security level for the
entire system.
[0072] Next, FIG. 13 is a flowchart of a process for identifying
security actions for an entire data processing system depicted in
accordance with a preferred embodiment of the present invention.
The process illustrated in FIG. 11 may be implemented in data
processing system in a zone, such as workstation 404 in FIG. 4.
[0073] The process begins by receiving a message from a security
process (step 1300). Thereafter, a document is parsed for security
tags (step 1302). Security levels are identified for objects by
nodes associated with the security tags (step 1304). The security
levels are assigned to objects in the data processing system using
the security levels identified in the nodes (step 1306).
Thereafter, a comparison of the security levels of objects in the
data processing system is made with the security level in the message
(step 1308), and security actions are performed for objects having
a higher security level than the security level in the message
(step 1310), with the process terminating thereafter.
[0074] In step 1308, the security actions may be implemented on a
per object basis or a system level. With this process, the security
level may be compared on a per object basis or a system level basis
depending on the particular implementation.
[0075] In the example in FIG. 13, the document may be an XML
document containing security tags as described above. The document
is parsed to identify security levels for different objects and the
security values are imputed or assigned to the objects in a manner
that allows for appropriate security actions to be taken by the data
processing system. These objects may be, for example, programs,
files, and windows. The XML document allows for flexibility in
changing or adding objects as well as the security level that is to
be associated with the objects.
[0076] FIG. 14 is a diagram illustrating a document containing
security tags in accordance with a preferred embodiment of the
present invention. In this example, the document contains security
tags 1400 and 1402, which are a pair of tags defining the security
level of objects identified between those tags as being security
level 8. The pair of tags formed by tags 1404 and 1406 define the
security level of the entire document as being security level 1.
Tags 1400 and 1402 are nested within tags 1404 and 1406 in this
example.
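The nested-tag document of FIG. 14 and the per-object comparison of FIG. 13, as an added example that is not the patent's own code: a constructed XML document whose outer tag marks the whole document as level 1 and whose inner tag raises two objects to level 8, then the selection of objects whose level exceeds the level carried in the message. The element and attribute names (`security`, `level`, `object`, `name`) and the rule that nested tags combine by maximum (following [0069]) are assumptions.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List

# Constructed sample document (tag names are assumptions): the outer pair of
# tags plays the role of 1404/1406 (level 1), the inner pair that of 1400/1402
# (level 8), nested exactly as in FIG. 14.
SAMPLE_XML = """<security level="1">
  <object name="readme"/>
  <security level="8">
    <object name="payroll"/>
    <object name="merger-memo"/>
  </security>
  <object name="calendar"/>
</security>"""

def object_levels(xml_text: str) -> Dict[str, int]:
    """Steps 1302-1306: parse the tags and assign each object the level of its
    enclosing security tags (maximum of all enclosing levels, an assumption)."""
    levels: Dict[str, int] = {}

    def walk(node: ET.Element, inherited: int) -> None:
        if node.tag == "security":
            inherited = max(inherited, int(node.get("level", "0")))
        elif node.tag == "object":
            levels[node.get("name", "")] = inherited
        for child in node:
            walk(child, inherited)

    walk(ET.fromstring(xml_text), 0)
    return levels

def objects_to_protect(levels: Dict[str, int], message_level: int) -> List[str]:
    """Steps 1308-1310: objects whose level is higher than the message level."""
    return sorted(name for name, lv in levels.items() if lv > message_level)

def window_level(levels: Dict[str, int], members: Iterable[str]) -> int:
    """FIG. 12: a window's level is the maximum over its object and sub-objects."""
    return max(levels[m] for m in members)
```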
[0077] Thus, the present invention provides an improved method,
apparatus, and computer instructions for generating alerts and
initiating security actions in a zone or area that is to be
secured. A presence of a person in a zone is detected via a tag
carried by the person. When a person is detected, messages are sent
to data processing systems in the zone to initiate security actions
without requiring manual or human intervention to protect secret or
confidential information.
[0078] It is important to note that while the present invention has
been described in the context of a fully functioning data
processing system, those of ordinary skill in the art will
appreciate that the processes of the present invention are capable
of being distributed in the form of a computer readable medium of
instructions and a variety of forms and that the present invention
applies equally regardless of the particular type of signal bearing
media actually used to carry out the distribution. Examples of
computer readable media include recordable-type media, such as a
floppy disk, a hard disk drive, a RAM, CD-ROMs, DVD-ROMs, and
transmission-type media, such as digital and analog communications
links, wired or wireless communications links using transmission
forms, such as, for example, radio frequency and light wave
transmissions. The computer readable media may take the form of
coded formats that are decoded for actual use in a particular data
processing system.
[0079] The description of the present invention has been presented
for purposes of illustration and description, and is not intended
to be exhaustive or limited to the invention in the form disclosed.
Many modifications and variations will be apparent to those of
ordinary skill in the art. The embodiment was chosen and described
in order to best explain the principles of the invention, the
practical application, and to enable others of ordinary skill in
the art to understand the invention for various embodiments with
various modifications as are suited to the particular use
contemplated.
* * * * *